Biometric credentials for all bank clients eyed
The Duterte administration’s economic team is keen on having Malacañang order banks to require from their clients credentials backed by biometrics amid rising concern about security in financial services.
“I have attended a meeting of economic managers where there was a consensus that perhaps an executive order will be sufficient to institutionalize such an industry practice,” Nestor A. Espenilla Jr., deputy governor of the Bangko Sentral ng Pilipinas, said yesterday.
Espenilla spoke at a meeting of the Financial Executives Institute of the Philippines (Finex) where he was asked whether a law was needed to require biometrics from bank clients.
“This is being discussed in Congress and there’s a draft bill related to it,” Espenilla said. “But beyond legislation, I have also been in discussion with the Bankers Association of the Philippines. Perhaps the industry can come up with a commercial solution where a cooperative venture may be established.”
The incoming BSP governor, however, said that he would place his biggest bet on an EO to make this a required practice for banks.
“But I do hope that once we create [a resultant] identity database, we would be mindful that this itself is creating a security risk,” Espenilla said. “It could be a target of cybercrime and may be compromised.”
He added that by next month, the BSP was set to issue a set of enhanced information security guidelines. The official said this would be an update of BSP Circular 808 incorporating the latest standards on information security.
Issued in 2013, Circular 808 prescribes the requirements in safeguarding customers’ information and fraud management, among others, in relation to the offering of e-banking products and services.
Also, Espenilla warned industry players that they would soon have to face penalties for non-implementation of required security measures.
“I would suggest that, more than [getting worried about] regulatory penalties, that industry should consider the market consequences of a cyber attack simply because the customers [are put at risk] because of the non-implementation of [security standards],” he said. “There is no substitute to being prepared.”